Flock Camera Controversies
Flock Camera Security Risks
The Flock debate is usually framed as privacy versus public safety. The harder procurement question is simpler: can a city prove the camera network is secure, audited, and controlled before it points more cameras at public roads?
The short version
Flock camera security is now part of the public controversy around automatic license plate readers. The issue is not only whether police departments should use ALPR cameras. It is whether cities can prove the network, credentials, audit logs, and sharing controls are secure enough for a public surveillance system.
In January 2026, security researcher Jon Gaines wrote that he found 67 Flock Safety live PTZ camera or LPR feeds and debug web interfaces exposed without authentication to the internet. State of Surveillance reported separately that 404 Media confirmed at least 60 exposed cameras and that Senator Ron Wyden called for an FTC investigation.
Flock's public response says the company has never been hacked and that there has not been a leak of Flock information. But for city buyers, the practical question is broader than whether Flock calls an incident a hack. It is whether the contract, settings, access controls, and audit logs can survive public review.
What researchers reported
GainSec's January 9, 2026 post says the researcher found 67 instances of Flock Safety camera feeds and debug web interfaces exposed without authentication. The post describes live PTZ camera or LPR feeds and debug interfaces that were accidentally exposed to the internet.
State of Surveillance summarized the same episode as a public-internet exposure of Flock camera feeds. The article said 404 Media confirmed at least 60 exposed cameras, while Gaines catalogued 67 exposed feeds and debug interfaces.
Those are public-source claims, not a city audit. Still, they matter for procurement because Flock cameras are not ordinary IT assets. They capture public-road movement data, often under police or city contracts, and they sit inside a larger data-sharing and search system.
What Flock said
Flock's own January 6, 2026 blog post, titled Has Flock Been Hacked?, says: 'No, Flock has never been hacked, and there has not been a leak of Flock information.'
Flock's trust page also says access is managed by local agencies and limited to authorized users with role-based permissions. The same page says every search is tied to a specific user and recorded automatically, with no open browsing and no anonymous searches.
Those statements are important because they define what a city should test. If a vendor says every search is tied to a user and local agencies control access, a city should require logs, role lists, MFA status, sharing settings, and incident-response language before approving or renewing the system.
Why audit logs changed the debate
Have I Been Flocked says its data consists of audit logs tracking searches made within the Flock system. The site says those logs come from public-records requests and Flock transparency portals, and that the dataset is incomplete.
On July 13, 2026, the site's public stats payload showed 412,998,849 total records, 225,428,196 searches, and a most recent search timestamp of July 1, 2026. Those numbers describe Have I Been Flocked's public dataset, not all Flock activity nationwide.
That scale is why audit logs matter. A city cannot safely treat ALPR security as a normal vendor checkbox. If search logs can later reveal who queried plates, which agency searched, what reason was entered, and whether names were redacted, the city needs a plan for both cybersecurity and public-records disclosure.
The credential problem
State of Surveillance reported that Senator Wyden and Rep. Raja Krishnamoorthi sent a November 2025 letter to the FTC about Flock cybersecurity concerns. The article said the lawmakers pointed to stolen customer credentials and a lack of mandatory multi-factor authentication.
Because the PDF letter was publicly linked but not machine-readable in this run, the article should be treated as a secondary source for that summary. The procurement takeaway is still clear: cities should not rely on password-only access for a police surveillance platform.
A city council should ask whether MFA is mandatory for every local user, whether phishing-resistant MFA is available, how stolen credentials are detected, how quickly accounts can be disabled, and whether the city receives notice when an agency account is compromised.
How cities should write security into the contract
The contract should require mandatory MFA, named-user access, role-based permissions, monthly user reviews, immutable audit logs, and written incident notice deadlines. It should also say who can approve new agency shares, statewide lookup, national lookup, hotlist access, and any federal search path.
Cities should ask for a public security memo before renewal. The memo should list active users, disabled users, sharing partners, outside-agency searches, federal searches, audit-log exports, failed login events, vendor incidents, and any camera exposure or maintenance issue.
If the vendor says customer data is controlled locally, the city should be able to prove local control in public. That means showing who can search, who can share, who can change settings, who can see audit logs, and what happens when a camera or account is exposed.
Why this belongs in every renewal vote
OPB reported in January 2026 that Bend, Oregon turned off Flock cameras after community outcry over automatic license plate reader technology. OPB's related coverage also noted other Northwest communities that ended or paused Flock use after privacy, immigration, and unnecessary-search concerns.
Those city fights are often described as political or privacy disputes. But the security question sits underneath them. Residents are not only asking whether police can solve cases. They are asking whether the city can protect the data and prove the system is not being misused.
For council members, the safest posture is to treat Flock as a surveillance database, not a camera purchase. If the city cannot verify access control, audit logs, MFA, data sharing, and incident notice, it should not call the renewal routine.
The bottom line
Flock camera security is no longer a background IT issue. Public reports about exposed camera feeds, credential concerns, large audit-log datasets, and city cancellations have made it a front-line procurement issue.
Flock says it has not been hacked and says customers control their data. Cities should make those claims auditable before buying more cameras or renewing old contracts.
The city council test is simple: if officials cannot explain who can access the system, how searches are logged, whether MFA is mandatory, how sharing is controlled, and what happens after a security incident, they are not ready to approve the cameras.
Sources used
GainSec, Finding 67 Flock Safety Live PTZ Camera/LPR Feeds and Debug Web Interfaces accidentally exposed without authentication to the internet, January 9, 2026: https://gainsec.com/2026/01/09/bird-hunting-season-finding-67-live-camera-feeds-and-debug-web-interfaces-accidentally-exposed-by-flock-safety/
State of Surveillance, Flock Safety Cameras Exposed, January 25, 2026: https://stateofsurveillance.org/news/flock-safety-cameras-exposed-no-password-2026/
Flock Safety, Has Flock Been Hacked?, January 6, 2026: https://www.flocksafety.com/blog/has-flock-been-hacked
Flock Safety, Privacy, Data & Civil Liberties Policies: https://www.flocksafety.com/trust
Flock Safety, License Plate Reader Policy: https://www.flocksafety.com/legal/lpr-policy
Have I Been Flocked?, Search Flock ALPR Audit Logs and public statistics payload, checked July 13, 2026: https://haveibeenflocked.com/
OPB, Bend is the latest Oregon city to turn off Flock cameras, January 8, 2026: https://www.opb.org/article/2026/01/08/bend-flock-cameras-ai-license-plate-camera-law-enforcement/